Trying to build containers from Ray wheels

How severe does this issue affect your experience of using Ray?

• High: this is blocking production use of Ray, due to failing security audits
• related to https://discuss.ray.io/t/ray-wheel-not-supported/1958

Are there any working examples of downloading wheels for specific versions of Ray from Amazon AWS? In particular, we’d like to download a release in the range of 1.9.x through 1.11.x for Python 3.8 on Linux.

The docs all seem to point to using this wheel (either its Py 3.7 or 3.8 version):
https://s3-us-west-2.amazonaws.com/ray-wheels/latest/ray-2.0.0.dev0-cp38-cp38-manylinux2014_x86_64.whl

While that URL works, it appears to be for release 2.0.0.dev0 (whatever that is).
In “Installing from a specific commit” the docs say to use a URL in the format:

https://s3-us-west-2.amazonaws.com/ray-wheels/master/{COMMIT_HASH}/ray-{RAY_VERSION}-{PYTHON_VERSION}-{PYTHON_VERSION}m-{OS_VERSION}.whl

The example in the docs is https://s3-us-west-2.amazonaws.com/ray-wheels/master/ba6cebe30fab6925e5b2d9e859ad064d53015246/ray-2.0.0.dev0-cp37-cp37m-macosx_10_15_intel.whl which returns a 404 error.

I’ve tried many other variations of this, however the only other version that appears to be available for download is:
https://s3-us-west-2.amazonaws.com/ray-wheels/latest/ray-1.7.0-cp38-cp38-manylinux2014_x86_64.whl

Also, I’ve never seen a working example of an available wheel based on a commit hash.

• Do any of these exist?
• Is there an actual list of which wheels are available?

FWIW, I’m asking because the Ray images on DockerHub will not pass our corporate security audits. We need to be able to build our own container images for Ray to run on K8s on Azure.

We must use a release that’s later than 1.7.x due to the log4j vulnerability.

Unfortunately, the build-docker.sh script within the Ray repo is not friendly for development work in regulated corporate environments; it would be much more effective if the Ray repo had scripts that generated Dockerfile source instead, then built container images from those.

Another suggestion would be for Ray to use grype, as part of the CI pipeline, to scan container images for vulnerabilities.

As an alternative approach, are there any full Dockerfile examples for running Ray on K8s?

If it helps, here’s what we’ve been working on, regarding the Ray base images and security issues:

• Docker Hub
• GitHub - DerwenAI/ray_base: Docker build for a base image for running Ray on K8s on Azure

WIP: now testing on AKS, and there’s much iteration still needed for resolving any HIGH severity issues

cc @simon-mo do you have answers for this question?

try changing the 10_15 to 10_13. this follow works https://s3-us-west-2.amazonaws.com/ray-wheels/master/ba6cebe30fab6925e5b2d9e859ad064d53015246/ray-2.0.0.dev0-cp37-cp37m-macosx_10_13_intel.whl

The reason was that we bumped minimal macOS version to build the wheel.

For all the release wheels, their S3 artifacts are kept indefinitely.

Thank you @simon-mo
Although, I believe the “Installing from a specific commit” section still has errors in what it shows about constructing an URL for a wheel for a specific release.